Privacy Policy

PRIVACY POLICY

REGARDING THE DATA PROCESSING OF THE WEBSHOP OPERATED BY KECSKEMÉTFILM KFT.

 

  I. GENERAL PROVISIONS

 

  1. The purpose of Privacy Policy

 

KECSKEMÉTFILM Kft. (hereinafter: Data Controller) provides information in this Privacy Policy regarding the data processing of the webshop operated by it on the magyarnepmesek.eu website.

Data protection is a set of principles, rules, procedures, data management tools and methods that ensure the lawful processing of personal data and the protection of data subjects, with the aim of protecting the rights of data subjects and preventing unauthorized access to personal data.

The purpose of this Privacy Policy is to establish the internal regulations and measures that ensure that the data processing activity of KECSKEMÉTFILM Kft. as Data Controller complies with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: Regulation, GDPR), and furthermore with the regulations of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: Info Law).

Issues not covered by this document are governed by the applicable laws.

 

The Data Controller gives priority to the protection of the privacy and personal data of the persons who come into contact with it during, continuously complying with the principle of accountability to the data subjects. In accordance with this, the Data Controller handles the personal data provided to it in all cases in compliance with the applicable Hungarian and European Union legislation and ethical requirements, and in all cases takes the technical and organizational measures necessary for proper, secure and lawful data management.

 

  2. Scope of data management

The personal scope of this Privacy Policy extends to the visitors, registered users, Customers and business contacts of the webshop operated on the www.magyarnepmesek.eu website of KECSKEMÉTFILM Kft. (hereinafter: the Data Subject).

In this Privacy Policy, the Data Controller provides detailed information on the essential circumstances, methods, principles, legal basis, purpose and duration of data management during the operation of the KECSKEMÉTFILM Kft. webshop and on the kecskemetfilm.hu website.

  3. Name and contact details of Data Controller


Kecskeméti Animációs Filmgyártó és Forgalmazó Korlátolt Felelősségű Társaság
short name: KECSKEMÉTFILM Kft.
registered seat: H-6000 Kecskemét, Liszt Ferenc utca 21.
company registry no.: Cg. 03 09 102262
solely represented by: MIKULÁS Ferenc, Executive Director
 
tax no.: 11029245-2-03
electronic contact: kfilm@kecskemetfilm.hu
website: www.kecskemetfilm.hu, www.magyarnepmesek.eu
phone no.: 00 36 76 481788
hereinafter: Company or Data Controller

 

  4. Definitions

 

’Personal data’ means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

’Data subject’ is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.

’Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

’Controller’ or ’controller responsible for the processing’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

’Processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

 ’Consent of the data subject’ is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. 

’Recipient’ is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

’Third party’ is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

’Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

‘Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

’Special categories of personal data’ are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data for the unique identification of natural persons, health data and the sexual life or sexual orientation of natural persons; personal data which are prohibited under Article 9 (1) of the GDPR may be processed only in the exceptional cases provided for in Article 9 (2) of the GDPR, in particular with the express consent of the data subject.

 

 

  II. INFORMATION ON DATA MANAGEMENTS FOR EACH CATEGORY OF DATA

Data category: REGISTRATION RELATED DATA

Personal data of data subjects processed:

  • username
  • e-mail address
  • password

Legal basis for data processing:

Freely given consent of the data subject under Article 6 (1) (a) of the GDPR expressed by the implied behaviour by ticking the relevant checkbox.

Purpose of data processing:

  • create a registration
  • identification
  • contact

Duration of data processing:

Until withdrawal of consent.

Data category: DATA REQUESTED FROM THE DATA SUBJECTS AT THE TIME OF PURCHASE

Personal data of data subjects processed:

  • name
  • contact details (address, e-mail address, telephone number)
  • billing information (billing address, tax identification number, bank account number)
  • shipping information

Legal basis for data processing:

With regard to contact details, freely given consent of the data subject under Article 6 (1) (a) of the GDPR.

In the case of billing data, compliance with the legal obligation of the Data Controller under Article 6 (1) (c) of the GDPR.

Purpose of data processing:

  • concluding, amending, fulfilling and terminating the sales contract
  • contact in order to enforce individual complaints and warranty claims
  • issue of the invoice
  • delivery of the product
  • fulfil the statutory retention obligation for tax documents and accounting documents
  • enforcement, in case of legal dispute, the provability of the content of the contractual relationship

Duration of data processing:

Until withdrawal of consent.

 

 

Pursuant to its obligation under Section 169 of Act C of 2000 on Accounting (hereinafter: the “Accounting Act”), the Data Controller keeps the accounting certificate for 8 (eight) years after the termination of the Contract or, in case of a legal dispute, if that is the later date, for 5 (five) years following the conclusion of the legal dispute, and processes it on the legal basis of the fulfilment of its legal obligation.

The Data Controller shall comply with the provisions of Act CXXVII of 2007 on Value Added Tax. On the basis of its obligation under Section 179 of the VAT Act (hereinafter: “VAT Act”), it handles the documents issued by it and in its possession or otherwise available to it and the personal data contained therein, at least until the right to determine the tax expires.

The Data Controller shall comply with Act CL of 2017 (hereinafter: “Art.”). On the basis of its obligation pursuant to Section 78 (3) of the Art., it handles the documents issued by it and in its possession or otherwise available to it, and the personal data contained therein, until the expiry of the right to assess the tax, in the case of a deferred tax for 5 (five) years from the last day of the calendar year of its due date, and in the case of a legal dispute for 5 (five) years after its conclusion.

 

The source of the data is the data subject himself/herself.

 

NAME AND CONTACT DETAILS OF DATA CONTROLLERS

Website operation

Virtualcom Szoftverház Korlátolt Felelősségű Társaság

short name: Virtualcom Szoftverház Kft.

registered office: HU-6034 Helvécia, Taál B u 23.

email: info@virtualcom.hu

 

The data processor operating the IT system of our company:

System administrator

BESTCOM Pénzügyi Tanácsadó és Számítástechnikai Szolgáltató Korlátolt Felelősségű Társaság

short name: BESTCOM Kft.

registered office: HU-6000 Kecskemét, Kőhíd utca 10.

email: bestcom@bestcom.hu

 

In all its activities, the Data Controller uses only such partners (subcontractors) who comply with the requirements of the data protection legislation in force at any time.

 

Email server: Google LLC (cloud), hosting: Google LLC (Google Drive)

For information about the GDPR compliance of Google LLC (cloud), hosting: Google LLC (Google Drive), visit:

https://cloud.google.com/security/gdpr#tab7

The GDPR compliance of Google LLC’s services is ensured by the fact that the data protection compliance of Google’s model contractual clauses has been recognized by the European Data Protection Authorities (DPAs), so that, for G Suite and the Google Cloud Platform, the transfer of data to any part of the world fully complies with the legal requirements of the GDPR.

 

III. INFORMATION ON THE TRANSMISSION OF DATA - RECIPIENTS OF THE TRANSMISSION OF DATA

 

Personal data will be transmitted to the postal service and delivery companies: Magyar Posta Zrt. and the authorized courier services (GLS General Logistics Systems Hungary Kft., FedEx Trade Networks Transport & Brokerage (Hungary) Kft.).

In addition, the data of the data subject may, if absolutely necessary (e.g. in connection with a legal dispute or in order to make a financial or accounting assessment of an economic event), be transferred on an ad hoc basis to the service providers entrusted by the data controller, e.g. lawyers, auditors and financial advisers who are bound by professional or contractual confidentiality.

 

The name and contact details of the winner will be forwarded to the supporting companies or organizations offering the prize.

 

The recipients process the personal data transmitted to them as an independent data controller, in accordance with the provisions of their own Privacy Policy, and joint data management does not take place.

The Data Controller does not intend to transfer the personal data of the data subject to a third country (a non-EEA state); where this cannot be excluded, it draws special attention to this in this document.

 

Newsletter

The web store does not operate a newsletter sending service.

 

  IV. PRINCIPLES OF DATA MANAGEMENT

 

The GDPR stipulates that the Data Controller's data processing activities must comply with the principles listed below in Article 5 of the GDPR, throughout the period of data processing. The Data Controller is committed to continuously enforcing the principles and regulations of the GDPR in the course of its personal data management activities.

 

  1. Lawfulness, fairness and transparency

 

Data processing must be lawful, fair and transparent throughout the data processing period (Article 5 (1) (a) GDPR). The Data Controller shall ensure the transparency of its data processing by publishing this Privacy Policy or by directly informing the data subjects as defined in Article 13 of the GDPR (where applicable in accordance with Article 14). This Privacy Policy contains detailed information regarding the data processing of the Data Controller in relation to the data subjects, the scope of the data processed, the title of the data processing, the duration of the data processing and the rights of the data subjects concerned. The Data Controller shall provide basic information related to data processing by providing direct information in accordance with Article 13 and, if necessary, Article 14. The Data Controller ensures the lawfulness of data processing by carrying out its data processing activities on the grounds specified in Article 6 of the GDPR, in this Privacy Policy and other data processing-related documents, in accordance with the GDPR principles.

The Data Controller ensures the fairness of data processing by providing adequate information, making the data processing process transparent to the various data subjects, explaining the content of data processing legislation, the rights of data subjects, and implementing organizational measures to ensure data security.

The purpose of all these measures is for the Data Controller to assist all data subjects in exercising their rights under the GDPR.

 

  2. Purpose limitation

 

The purpose limitation principle means that the Data Controller may only process personal data for a clearly defined, legitimate purpose (Article 5 (1) (b) GDPR). The purpose limitation principle also means that the collection of data and other data processing operations (e.g. recording, storage, transmission, deletion, etc.) must be tailored to the purpose of the data management. It follows from the purpose limitation principle that personal data may only be processed until the purpose of the data processing has been achieved. Thus, if a data processing purpose has been achieved, personal data can only be further processed on the basis of an additional data processing purpose or title.

The Data Controller processes the personal data of the data subjects for the purpose indicated in the table.

 

 

  3. Data minimisation

 

The principle of data minimisation means that only data that are strictly necessary for the purposes of data processing can be lawfully processed (Article 5 (1) (c) GDPR).

 

  4. Accuracy

 

The principle of accuracy means that the data stored in the registration systems must be accurate throughout the data processing process (Article 5 (1) (d) GDPR). If the data is inaccurate or incorrect, the Data Controller, in cooperation with the data subject, shall ensure the restoration of the accuracy of the data on the basis of the data subject's request.

 

The Data Controller hereby requests the kind participation of the users and the customers in keeping the data up to date, by notifying KECSKEMÉTFILM Kft. of any changes in their data (especially: the delivery address).

 

 

  5. Storage limitation

 

The principle of limited storage means that personal data may only be stored for as long as the purpose of the processing is achieved, i.e. personal data may not be accumulated or stored for an indefinite period (Article 5 (1) (e) GDPR). The principle of limited storage is reflected in the data controller's obligation to determine the duration of the data processing and, if this is not possible, the criteria for determining the duration. The Data Controller is obliged to inform the data subject about the above circumstances. The Data Controller shall enforce the principle of limited storage with respect to the data processed in the framework of the provision of services as follows, based on the provisions of the applicable legislation. The Data Controller is entitled to process personal data only to the extent, in the manner and for the time necessary to perform the tasks of the Data Controller.

 

  6. Integrity and Confidentiality

 

Maintaining integrity and confidentiality means that the Data Controller must protect personal data with organizational and security measures that guarantee adequate data security and protection against damage resulting from unauthorized or unlawful handling, accidental loss, destruction or damage (Article 5 (1) (e) GDPR).

The Data Controller treats the personal data provided to it as confidential. The personal data of the data subjects may be accessed by the employees and agents of the Data Controller who, based on their job or duties, deal with the social and educational activities of the Data Controller and with the managerial and administrative tasks ensuring the operation of the Data Controller.

 

  7. Accountability

 

The principle of accountability means that the controller must be able to demonstrate the lawfulness of the processing, i.e. compliance with the GDPR (Article 5 (2) GDPR). For the sake of accountability, the Data Controller keeps a record of the transfer and publication of the necessary information, the data processing performed by it, the measures taken for data security, data protection incidents and requests related to data protection, and documents its data management activities in accordance with the GDPR.

 

  V. RIGHTS OF THE DATA SUBJECT

 

The data subject may contact the Data Controller regarding the enforcement of his / her rights related to data management and his / her questions at the contact details included in this Privacy Policy.

The Data Controller shall inform the data subject of the actions it has taken, or of the reasons for not taking action, within one month after the submission of the data subject's request (the data subject may file a complaint in this connection); this period may be extended by 2 months if necessary.

The procedure is free of charge (if justified and not excessive) and preferably electronic.

The Data Controller shall inform all recipients to whom or with whom the personal data have been communicated of any rectification, erasure or restriction of data processing, unless this proves impossible or requires a disproportionate effort. Upon request, the Data Controller shall inform the data subject of these recipients.

 

  • a) Right of confirmation

Each data subject shall have the right to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to avail himself of this right of confirmation, he or she may, at any time, contact any employee of the Controller.

  • b) Right of access

Each data subject shall have the right to obtain from the controller free information about his or her personal data stored at any time and a copy of this information. Furthermore, the European directives and regulations grant the data subject access to the following information:

    • the purposes of the processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
    • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    • the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
    • the existence of the right to lodge a complaint with a supervisory authority;
    • where the personal data are not collected from the data subject, any available information as to their source;
    • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

Furthermore, the data subject shall have a right to obtain information as to whether personal data are transferred to a third country or to an international organisation. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

If a data subject wishes to avail himself of this right of access, he or she may, at any time, contact any employee of the controller.

  • c) Right to rectification 

Each data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

If a data subject wishes to exercise this right to rectification, he or she may, at any time, contact any employee of the controller.

  • d) Right to erasure (Right to be forgotten) 

Each data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies, as long as the processing is not necessary: 

    • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
    • The data subject withdraws consent to which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing.
    • The data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR. 
    • The personal data have been unlawfully processed.
    • The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
    • The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

If one of the aforementioned reasons applies, and a data subject wishes to request the erasure of personal data stored by the Data Controller, he or she may, at any time, contact any employee of the controller. An employee of Data Controller shall promptly ensure that the erasure request is complied with immediately.

Where the controller has made personal data public and is obliged pursuant to Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. Employees of the Data Controller will arrange the necessary measures in individual cases.

  • e) Right of restriction of processing

Each data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

    • The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data. 
    • The processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use.
    • The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
    • The data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

If one of the aforementioned conditions is met, and a data subject wishes to request the restriction of the processing of personal data stored by Data Controller, he or she may at any time contact any employee of the controller. The employee of the Data Controller will arrange the restriction of the processing. 

  • f) Right to data portability

Each data subject shall have the right to receive the personal data concerning him or her, which was provided to a controller, in a structured, commonly used and machine-readable format. He or she shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as long as the processing is based on consent pursuant to point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, or on a contract pursuant to point (b) of Article 6(1) of the GDPR, and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, in exercising his or her right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.

In order to assert the right to data portability, the data subject may at any time contact any employee of the Data Controller.

  • g) Right to object

Each data subject shall have the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her, which is based on point (e) or (f) of Article 6(1) of the GDPR. This also applies to profiling based on these provisions.

Data Controller shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If the Data Controller processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to the Data Controller to the processing for direct marketing purposes, the Data Controller will no longer process the personal data for these purposes.

In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her by the Data Controller for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

In order to exercise the right to object, the data subject may contact any employee of the Data Controller. In addition, the data subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to use his or her right to object by automated means using technical specifications.

  • h) Automated individual decision-making, including profiling

Each data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, as long as the decision (1) is not necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) is not authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or (3) is not based on the data subject's explicit consent.

If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and a data controller, or (2) it is based on the data subject's explicit consent, the Data Controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and contest the decision.

If the data subject wishes to exercise the rights concerning automated individual decision-making, he or she may, at any time, contact any employee of the Data Controller.

  • i) Right to withdraw data protection consent 

Each data subject shall have the right granted by the European legislator to withdraw his or her consent to processing of his or her personal data at any time. 

If the data subject wishes to exercise the right to withdraw the consent, he or she may, at any time, contact any employee of the Data Controller.

 

ENFORCEMENT

Without prejudice to other administrative or judicial remedies, any data subject shall have the right to complain to a supervisory authority, in particular in the Member State of his or her habitual residence, place of employment or suspected infringement, if he considers that the processing of personal data concerning him violates the GDPR.

 

Anyone may file a complaint with the National Data Protection and Freedom of Information Authority (in Hungarian: Nemzeti Adatvédelmi és Információszabadság Hatóság) alleging that there has been or is an imminent threat of a breach of the right to process personal data.

Name: National Data Protection and Freedom of Information Authority

(in Hungarian: Nemzeti Adatvédelmi és Információszabadság Hatóság NAIH)

Head office: 1055 Budapest, Falk Miksa u. 9-11.

Phone: 391-1400 Fax: 391-1410

Website: http://www.naih.hu E-mail: ugyfelszolgalat@naih.hu

 

The supervisory authority to which the complaint has been lodged must keep the customer informed of the progress of the complaint procedure and its outcome, including the customer's right to a judicial remedy under Article 78.

 

Judicial remedies: Proceedings against the controller must be brought before the courts of the Member State in which the controller is established (Hungary), but may also be brought before the courts of the Member State of the habitual residence of the data subject.

 

Without prejudice to other administrative or non-judicial remedies, all natural and legal persons shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority.